Cisco Employee

ISE condition based on passive-id lookup failure ?

Hi,

Is it possible to have the flow below?

1. Authz profile with passive-id tracking (ACL-A applied)

2. Passive-ID success (CoA and now apply ACL-B)

OR

3. Passive-ID look-up failure i.e. User not found (CoA and now apply ACL-C)

I am struggling to find how to detect the "passive-id --> User not found" condition?

The desired use-case/flow:

1. Endpoint connected and limited ACL applied as needed for AD-Login (Passive-ID tracking enabled)

2. If Passive-ID is a success then Employee-ACL applied.

3. If Passive-ID look-up doesn't find the User then Guest-ACL applied.

I understand that we can probably add Guest Access on to the "limited ACL" (in the Passive-ID tracking Authz rule), if the above is not possible.

Thanks,

Naman

Accepted Solution

Advocate

Re: ISE condition based on passive-id lookup failure ?

The Passive ID tracking option essentially states "for any user authorized with this policy, watch for any merged entries and issue CoA".  By merged entry, I am referring to the case where a RADIUS session is correlated with a Passive ID session based on matching IP address.

If there is no tracking enabled or if there is tracking but no merger of entries, then there will be no lookup based on Passive Identity.  In other words, if Passive ID lookup fails, then there is no merged entry to start with.  A tracked entry that is merged will trigger a CoA.  On reauth there will be an option to match on Passive ID attributes.  Along with original authorization or post-merge authorization, you can choose to assign ACL, VLAN, SGT, etc.

Likely what you want is to combine the limited access ACL (AD-Login) with the Guest ACL or a CWA authorization to redirect web to a guest portal.  If the AD user logs in, then they will match the Employee Policy.  If not, then they will get redirected to the guest portal.

Craig

